NYT – Can You Make Yourself Smarter?

The headline “Can You Make Yourself Smarter?” caught my attention in the New York Times. The article describes a game “N back” that can be used to train working memory. Working memory is “the capacity to manipulate the information you’re holding in your head”. Researcher Torkel Klingberg found a relationship between working memory and IQ test results. Consequently, IQ is not fixed but could be improved by training.

I never took an IQ test myself and have only limited knowledge on how these tests work. However, I believe that it is possible to train for pretty much any test. Therefore, I do not find these results very surprising. Nevertheless, I find the connection between working memory and IQ very interesting.

Sidenote: The article contains an info box explaining typical ranges of IQ test results. It says: “132+ 2 percent; borderline genius; average I.Q. of most Ph.D. recipients” and “143+ 1 percent; genius level; about average for Ph.D.’s in physics.” Does this mean that the average physics PhD recipient is a genius? I expect a bit more from a “true” genius. What makes physics PhDs special?

Are password policies promoting weak password choices?

Passwords are one of the most cumbersome parts of modern life. It used to be enough to have a password for the UNIX account at work and a four-digit PIN for the debit card. But not anymore. Nowadays, almost everybody has several email accounts, social network logins, home banking, a login for the favorite online newspaper, and so on.

Many people use the same password for everything. If one site gets compromised – whether because the password was not strong enough or because the site itself got hacked – all other logins are open to the attacker. A solution is the use of a password manager. But in some cases this is not practical (and of course we need at least one password to unlock the password manager…). Therefore, finding a way to generate safe but easy to remember passwords is arguably a big challenge in computer security.

In many organizations, password policies are used to enforce a minimum level of password strength. In a recent blog post, John Fontana argues that most password policies actually decrease password security. He cites Cameron Morris who proposes password policy improvements and wrote a tool called Passfault to measure password strength.

After reading about weak passwords a few years ago, I started to use a small command line tool called pwgen to generate random passwords. As it turns out, 7 random characters is pretty much the most I can remember. In fact, there were several embarrassing incidents where I had to call IT support only half an hour after choosing a new password because I had forgotten it. Passfault estimates that a random password generated with “pwgen 7” contains 78 billion patterns and can be cracked in about 1 day – which does not sound bad to me.

The makers of the webcomic xkcd propose an alternative way to make up strong passwords. They suggest choosing 4 random words, which are easier to remember than random strings. Knowing my memory, I put this to the test with just 3 random words, “garden dolphin dictionary”, using the Passfault tool. The result: 27 quadrillion patterns, taking an estimated 9 centuries to crack – wow! And it is really easy to remember: I lost this paragraph while writing the post but was still able to remember my password while I typed it again later on.
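To make the comparison between the two approaches concrete, here is an added example (not code from the post, and not Passfault's pattern-based model, whose figures are quoted above): a plain combinatorial estimate that assumes every character or word is drawn uniformly at random. The 62-symbol alphabet for pwgen (upper, lower, digits), the 2048-word list (the ~11 bits per word used in the xkcd comic) and the guess rate of 10^9 per second are all assumptions chosen for illustration; real cracking speed depends on how the password is hashed. It goes slightly beyond the text by letting you vary word count and dictionary size, which shows that the passphrase only wins when the words are genuinely random and there are enough of them.

```python
import math

# Assumed attacker speed for the estimate (constructed; real rates depend on the hash).
GUESSES_PER_SECOND = 1e9

ALNUM = 62          # assumed pwgen alphabet: upper + lower + digits
XKCD_WORDS = 2048   # ~11 bits per word, the list size the xkcd comic assumes


def search_space(symbols, length):
    """Number of equally likely candidates: `length` symbols drawn uniformly from `symbols`."""
    return symbols ** length


def entropy_bits(space):
    """Entropy in bits of a uniform choice over `space` candidates."""
    return math.log2(space)


def expected_crack_seconds(space, rate=GUESSES_PER_SECOND):
    """An exhaustive search finds the secret after half the space on average."""
    return space / 2 / rate


def compare(char_len=7, words=4, dictionary=XKCD_WORDS, symbols=ALNUM):
    """Side-by-side figures for a random string and a random-word passphrase."""
    rows = {}
    for name, space in (
        (f"{char_len} random chars", search_space(symbols, char_len)),
        (f"{words} random words", search_space(dictionary, words)),
    ):
        rows[name] = {
            "space": space,
            "bits": round(entropy_bits(space), 1),
            "days": expected_crack_seconds(space) / 86400,
        }
    return rows


if __name__ == "__main__":
    # 7 alphanumerics vs. 4 words (as in the comic) and vs. 3 words (as tried in the post)
    for words in (4, 3):
        for name, r in compare(words=words).items():
            print(f"{name:16} {r['bits']:5.1f} bits  ~{r['days']:9.2f} days "
                  f"at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Under this model 7 random alphanumerics give about 41.7 bits and 4 words from a 2048-word list give 44 bits, so the memorable passphrase is at least as strong; 3 words from the same list give only 33 bits, which is why the word count (or a larger list) matters. Passfault's much larger figures for the three-word phrase come from its different, pattern-based way of counting, so the two estimates are not directly comparable.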

Unfortunately, most password policies do not allow a password like “garden dolphin dictionary”. They often require the inclusion of numbers and special characters like ‘&’. As a consequence, users tend to substitute some letters with numbers, a technique well known to password crackers. Some password policies also do not allow the use of common words. Users can get around this by “keyboard shifting”: for instance, “bird” becomes “notf” on a US keyboard when all key presses are shifted one position to the right. This does not significantly enhance password strength, and some password cracking programs are optimized to detect it.
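A policy check that wants to avoid rewarding these tricks has to undo them before looking a word up, rather than simply banning dictionary words and demanding digits. The following is an added example (not Passfault and not code from the post) of such a check: it reverses a one-key-to-the-right QWERTY shift and the usual digit-for-letter substitutions, rejects any single token that turns out to be a dictionary word in disguise, and explicitly accepts multi-word passphrases of the “garden dolphin dictionary” kind, whose strength comes from the number of words rather than from avoiding common ones. The five-word dictionary, the three-word minimum and the seven-character minimum are constructed for the example; a real deployment would load a full word list.

```python
import itertools

# Constructed mini-dictionary for the example; a real check would load a full word list.
WORDLIST = {"bird", "password", "garden", "dolphin", "dictionary"}

# US QWERTY letter rows. "Keyboard shifting" moves every key one position to the
# right, so undoing it means stepping one key to the left.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
LEFT_NEIGHBOUR = {row[i]: row[i - 1] for row in QWERTY_ROWS for i in range(1, len(row))}

# Common digit/symbol substitutions; a digit may stand for more than one letter.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}

MIN_WORDS_FOR_PASSPHRASE = 3   # assumed policy value
MIN_LENGTH = 7                 # assumed policy value


def unshift(word):
    """Undo a one-key-to-the-right shift; None if some character has no left neighbour."""
    out = []
    for ch in word:
        if ch not in LEFT_NEIGHBOUR:
            return None
        out.append(LEFT_NEIGHBOUR[ch])
    return "".join(out)


def unleet_candidates(word):
    """Every plain-letter reading of the word with substitutions undone."""
    choices = [LEET.get(ch, ch) for ch in word.lower()]
    return {"".join(c) for c in itertools.product(*choices)}


def dictionary_match(token):
    """Return the dictionary word this token is (or disguises), else None."""
    w = token.lower()
    if w in WORDLIST:
        return w
    for cand in unleet_candidates(w):
        if cand in WORDLIST:
            return cand
    shifted = unshift(w)
    if shifted is not None and shifted in WORDLIST:
        return shifted
    return None


def policy_check(password):
    """Return None if the password is acceptable, otherwise a reason it is weak."""
    tokens = password.split()
    if len(tokens) >= MIN_WORDS_FOR_PASSPHRASE:
        # Multi-word passphrase: strength comes from the number of random words,
        # so dictionary words are expected here and not penalised.
        return None
    for tok in tokens:
        base = dictionary_match(tok)
        if base is not None:
            return f"{tok!r} is the dictionary word {base!r} in disguise"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for pw in ("notf", "p4ssw0rd", "garden dolphin dictionary", "Xk9#mQ2"):
        print(f"{pw!r:30} -> {policy_check(pw) or 'ok'}")
```

With the constructed word list, “notf” is reported as “bird” in disguise, “p4ssw0rd” as “password”, while “garden dolphin dictionary” and a 7-character random string both pass. Note that the check only judges form; it cannot tell whether the words were really chosen at random, which is what the passphrase's strength depends on.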

A quick web search reveals that there are many opinions on this topic. For instance, take a look at Per Thorsheim’s Security Nirvana, Schneier on Security (which simply advocates writing the password on a piece of paper), and this discussion at Stack Exchange. Personally, I have to say that I like the idea of using a few simple random words – I seem to be able to remember them much better than other passwords. For passwords I have to type often, e.g., to unlock screens, I still prefer shorter random strings. In the end, the single day necessary to crack the above-mentioned 7-character random string by brute force might still provide good enough security for me.